How to generate a self-signed certificate using pyOpenSSL

February 12, 2010

If you’ve got an embedded web server (I’m currently writing one that will be used to configure an application), and you don’t want to pass things in the clear, you’ll need to configure your web sever to use HTTPS. But for an embedded application, that can be tricky – https expects the hostname to be signed in the certificate, but you probably don’t know it until after your app is installed.

Here’s how you can create a self-signed certificate programatically in python.  You could just run this on application start-up.  Not that first you’ll need to install pyOpenSSL (if you have easy_install set up, it’s as easy as “easy_install pyopenssl”):


from OpenSSL import crypto, SSL
from socket import gethostname
from pprint import pprint
from time import gmtime, mktime
from os.path import exists, join

CERT_FILE = "myapp.crt"
KEY_FILE = "myapp.key"

def create_self_signed_cert(cert_dir):
    """
    If datacard.crt and datacard.key don't exist in cert_dir, create a new
    self-signed cert and keypair and write them into that directory.
    """

    if not exists(join(cert_dir, CERT_FILE)) \
            or not exists(join(cert_dir, KEY_FILE)):

        # create a key pair
        k = crypto.PKey()
        k.generate_key(crypto.TYPE_RSA, 1024)

        # create a self-signed cert
        cert = crypto.X509()
        cert.get_subject().C = "US"
        cert.get_subject().ST = "Minnesota"
        cert.get_subject().L = "Minnetonka"
        cert.get_subject().O = "my company"
        cert.get_subject().OU = "my organization"
        cert.get_subject().CN = gethostname()
        cert.set_serial_number(1000)
        cert.gmtime_adj_notBefore(0)
        cert.gmtime_adj_notAfter(10*365*24*60*60)
        cert.set_issuer(cert.get_subject())
        cert.set_pubkey(k)
        cert.sign(k, 'sha1')

        open(join(cert_dir, CERT_FILE), "wt").write(
            crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
        open(join(cert_dir, KEY_FILE), "wt").write(
            crypto.dump_privatekey(crypto.FILETYPE_PEM, k))
Advertisement
Posted by skippylovesmalorie
Filed in Uncategorized
1 Comment »

One Response to “How to generate a self-signed certificate using pyOpenSSL”

  1. Rajarathinam said
    July 20, 2011 at 3:34 pm

    sorry I want to know more reference.. Because Im need to make self signed certificate for my python application….
    Thanks in advance….

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Cancel

Connecting to %s

Follow

Get every new post delivered to your Inbox.